Mobile phone tracking: it’s not personal

Will the Privacy Act protect you from being identified by your mobile phone address? Santos "Grim Santo" Gonzalez/Flickr, CC BY-SA

What does privacy mean in an age of ongoing privacy breaches? With new privacy law coming online in Australia on March 12, our Privacy in Practice series explores the practical challenges facing Australian business and consumers in a world rethinking privacy.

Mobile phone tracking techniques are becoming more commonplace. Waste bins target ads. Shopping centres follow customers. Spooks follow airport passengers. Will the Privacy Act’s new definition of personal information provide enhanced protections against mobile phone tracking? Not really. Here’s why.

Defining what’s personal

The Privacy Act covers personal information. Any information that is not personal information is not covered by the Act. Under the new definition, personal information is information:

about an identified individual, or an individual who is reasonably identifiable.

Information can therefore be personal information in two ways. The first is where information directly identifies an individual - what we normally think of as our “personal information”. In other words, the unique identifiers needed for our lives. Our name. Our email address. Our credit card number.

The second is where information does not directly identify an individual, but can be combined with other information to identify that individual. A residential address is a good case in point.

An address does not identify an individual directly. 742 Evergreen Terrace is not a unique identifier. However, 742 Evergreen Terrace can be used as a means to combine different pieces of non-personal information together to reveal the identity of an individual. 742 Evergreen Terrace + Duff Beer drinker + doughnut consumer + balding head + nuclear power plant worker = Homer Simpson.

Check it out yourself. Next time you log on to Facebook, try the Facebook Graph Search. Enter a range of different “Likes”. You may have to play around but you can generally go from millions of individual Facebook users to one user with a small number of combinations. It’s an example of Arvind Narayanan’s 33 Bits of Entropy. You can identify an individual from any population by combining a maximum of 33 pieces of random non-personal information around a single point. It is this “singling out” type of harm that is central to the definition of personal information.
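The narrowing described above can be measured. The sketch below is an added example, not part of the original article: it applies the Evergreen Terrace attributes one at a time to a constructed eight-person population and reports how many people still match and how many bits of information each attribute contributed. The records and the function names are assumptions made for illustration.

```python
import math

FIELDS = ("street", "drink", "snack", "hair", "job")
# Constructed sample population: no names, only "non-personal" attributes.
ROWS = [
    ("742 Evergreen Terrace", "Duff", "doughnut", "balding", "nuclear plant"),
    ("742 Evergreen Terrace", "water", "cupcake", "tall", "homemaker"),
    ("744 Evergreen Terrace", "water", "doughnut", "full", "retail"),
    ("57 Walnut Street", "Duff", "doughnut", "balding", "nuclear plant"),
    ("57 Walnut Street", "Duff", "pretzel", "balding", "bartender"),
    ("12 Elm Street", "Duff", "pretzel", "full", "nuclear plant"),
    ("12 Elm Street", "water", "doughnut", "balding", "police"),
    ("98 Oak Avenue", "water", "pretzel", "full", "teacher"),
]
POPULATION = [dict(zip(FIELDS, row)) for row in ROWS]
CLUES = [("drink", "Duff"), ("snack", "doughnut"),
         ("hair", "balding"), ("street", "742 Evergreen Terrace")]


def bits_needed(population_size):
    """Bits of information required to single out one person among N."""
    return math.log2(population_size)


def narrow(population, clues):
    """Apply clues in order; return (field, people_left, bits_gained) per step."""
    remaining = list(population)
    steps = []
    for field, value in clues:
        before = len(remaining)
        remaining = [p for p in remaining if p[field] == value]
        if not remaining:  # clue matches nobody: nothing left to narrow
            steps.append((field, 0, float("inf")))
            break
        # Halving the candidate set is worth exactly one bit.
        steps.append((field, len(remaining), math.log2(before / len(remaining))))
    return steps


if __name__ == "__main__":
    print(f"need {bits_needed(len(POPULATION)):.1f} bits to single out one person")
    for field, left, bits in narrow(POPULATION, CLUES):
        print(f"{field:>6}: {left} candidate(s) left, +{bits:.1f} bits")
```

The address alone leaves two candidates, and the "balding" clue adds nothing once the earlier clues are known, yet the four attributes together leave exactly one person. At world scale the same arithmetic gives roughly 33 bits, since log2 of about 8 billion people is just under 33.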

The reasonable part

Does that mean any piece of information could be personal information? Potentially yes, and that’s problematic because the Privacy Act is not designed to apply to all information. The definition gets around this problem through its “reasonable” element. Information will only be personal information if an individual is “reasonably identifiable”.

Reasonable identification refers to an organisation’s ability to combine information, within “moderate steps”, in a way that leads to the actual identification of an individual. In other words, identification is doable without too much trouble.

What is too much trouble will vary between different organisations. For example, Google’s moderate steps would be vastly different to most other organisations which do not have Google’s resources, skills and capacities.

UK company Renew used hi-tech bins to deliver targeted advertising. Tal Cohen/EPA

Waste bins & information about individuals

The new definition, like the old one, refers to information about individuals. However, actions that threaten privacy no longer just concern information “about” us. They now more readily concern information that “relates” to us. Mobile phone tracking is a case in point. Let’s look at those waste bins to find out why.

In 2013, Renew, a UK company, found itself embroiled in a privacy scandal. The City of London installed waste bins provided by the company that broadcast video adverts.

Renew then went one step further. It created a network of sensors called Presence Orb, paid for by retailers, that recorded when a mobile phone’s medium access control (MAC) address came within range of a sensor.

The MAC address is unique to the phone’s wi-fi network card. A MAC address can be changed with a degree of technical know-how but it is generally viewed as a unique identifier. When the phone passed one of those bins, the bin recognised the MAC address and then broadcast a video advert for the retail company. Targeted ads via mobile phone tracking.

Would this be a privacy infringement in Australia? It is possible the collection of MAC address details would have been an unfair collection. But it first depends on whether a MAC address would be classed as personal information.

MAC addresses are device identifiers. They are information about devices rather than individuals. They do not directly identify individuals. The issue therefore is whether an individual is reasonably identifiable from a MAC address. As highlighted above, this issue is inherently contextual. It depends on the circumstances of use so it is difficult to determine an answer without a more rigorous analysis of Presence Orb’s sensor network.

This example highlights the general problem with information about individuals as a basis for defining personal information. It does not automatically include information about our devices that relates to us, especially in the lives we live today. The EU’s Article 29 Data Protection Working Party best summarised the issue:

Smart mobile devices are inextricably linked to natural persons. There is usually direct and indirect identifiability.

In other words, the link between our mobile phone and ourselves is such that information that relates to us (e.g. a mobile’s MAC address) has to be seen as information about us. The extent to which mobile phone tracking will be covered by the Privacy Act is unclear. It will primarily depend on whether an individual is reasonably identifiable from the collection and use of MAC address information.

A definition of personal information that incorporates information “about” individuals and reasonable identifiability still provides protections. But the Privacy Act’s new definition of personal information provides less flexibility when considering the privacy consequences of smart tracking technologies that will become more prevalent with the onset of the sensor society.

The new definition of personal information is consequently a missed opportunity, and more legal guidance will be required to clearly outline how the inextricable link between us and our devices will operate under the auspices of the Privacy Act.